Fails to load resources from classpath that contains /../
kimnilsson opened this issue ยท 10 comments
Since the bump to alpine 3.13 (from 3.12) and thus glibc 2.33 (from 2.31) it is no longer possible to read resources from any classpath containing /../. I.e. -classpath switch does not seem to deal correctly with any path containing /../.
This behavior seems to be depending on what kernel version that it is running on. We ran into this on AWS ECS which is running a kernel based on 4.14. We've not been able to reproduce it locally (I've tried a bunch of different 5.x.y kernels).
We've created a simple script that can be used to reproduce this problem when run using the kernel mentioned below.
System information:
/relative-classpath # uname -a
Linux ac720fb655fc 4.14.225-169.362.amzn2.x86_64 #1 SMP Mon Mar 22 20:14:50 UTC 2021 x86_64 Linux
/relative-classpath # java -version
openjdk version "1.8.0_292"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_292-b10)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.292-b10, mixed mode)Docker image info
$ docker inspect adoptopenjdk/openjdk8:alpine-slim
[
{
"Id": "sha256:84c108f063dd1a42f436f6774ed7aee780ca457efe94eaf49cfea720595691b7",
"RepoTags": [
"adoptopenjdk/openjdk8:alpine-slim"
],
"RepoDigests": [
"adoptopenjdk/openjdk8@sha256:b53d1fb07ffe34a64f9a9040fa66a2679b11ce779c6822666998f7f3f4e11d36"
],
"Parent": "",
"Comment": "",
"Created": "2021-05-18T15:13:37.146329757Z",
"Container": "07af33e5c84561d4514c169e6637959871747bee06ba253eb38a4b5f49b40a5d",
"ContainerConfig": {
"Hostname": "xxxx",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"LANG=en_US.UTF-8",
"LANGUAGE=en_US:en",
"LC_ALL=en_US.UTF-8",
"JAVA_VERSION=jdk8u292-b10",
"JAVA_HOME=/opt/java/openjdk"
],
"Cmd": [
"/bin/sh",
"-c",
"#(nop) ",
"ENV JAVA_HOME=/opt/java/openjdk PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:33a52efc24ba69a77de37a9c09f9c81ef77d26246d8e505556ecadd32f46d25b",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": {}
},
"DockerVersion": "20.10.6",
"Author": "",
"Config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"LANG=en_US.UTF-8",
"LANGUAGE=en_US:en",
"LC_ALL=en_US.UTF-8",
"JAVA_VERSION=jdk8u292-b10",
"JAVA_HOME=/opt/java/openjdk"
],
"Cmd": [
"/bin/sh"
],
"Image": "sha256:33a52efc24ba69a77de37a9c09f9c81ef77d26246d8e505556ecadd32f46d25b",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": null
},
"Architecture": "amd64",
"Os": "linux",
"Size": 117074400,
"VirtualSize": 117074400,
"GraphDriver": {
"Data": {
"LowerDir": "/var/lib/docker/overlay2/5611464ff35223e4b513b3bc271a1b7f64207555bc483f5d6db536262940a564/diff:/var/lib/docker/overlay2/b36db3e2d81196ec218698a44aeb4ac7f90f9b4fdc2e196b65d1c11706df8eb3/diff:/var/lib/docker/overlay2/ef8ba718426b9ffe95c0340ada0fc61207d84d5d6845661692c466c8012f9466/diff",
"MergedDir": "/var/lib/docker/overlay2/857ecdbd42a22ad138a25f13895019a93c16d40fdfd8ae62e3ef21961b3dfa01/merged",
"UpperDir": "/var/lib/docker/overlay2/857ecdbd42a22ad138a25f13895019a93c16d40fdfd8ae62e3ef21961b3dfa01/diff",
"WorkDir": "/var/lib/docker/overlay2/857ecdbd42a22ad138a25f13895019a93c16d40fdfd8ae62e3ef21961b3dfa01/work"
},
"Name": "overlay2"
},
"RootFS": {
"Type": "layers",
"Layers": [
"sha256:b2d5eeeaba3a22b9b8aa97261957974a6bd65274ebd43e1d81d0a7b8b752b116",
"sha256:9e41ac94a88d59836ac6d48897662afe00eea8547bf4b6dd432999b1059fce32",
"sha256:cd6d511460bf1eedaaadcfbb1efe42ec774add4cc5eb5dcf38c588673b7d6629",
"sha256:2dcef8f89855b9c42b45e5873799224de73f1ef43e7e69d3510f4fea6c05bc86"
]
},
"Metadata": {
"LastTagTime": "0001-01-01T00:00:00Z"
}
}
]
Running into same issue. Our docker image used a previous version of adoptopenjdk/openjdk11:alpine-jre (Alpine 3.12.6 based) runs correctly under 3.x/4.x kernel, while the latest on (Alpine 3.13.5 based) running into this issue.
Using "-jar" seems to be affected too. Also when calling "toRealPath" on relative paths an UnsupportedOperationException is thrown making applications that rely on it unusable.
Caused by: java.nio.file.FileSystemException: .: Operation not permitted
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:100) ~[?:?]
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[?:?]
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
at sun.nio.fs.UnixPath.toRealPath(UnixPath.java:852) ~[?:?]
Is there some workaround available? Like using an older tag or something?
Edit: Using the debain or ubuntu based image worked for me, but I had to adjust the Dockerfile which might not be easy in some cases
Using "-jar" seems to be affected too. Also when calling "toRealPath" on relative paths an UnsupportedOperationException is thrown making applications that rely on it unusable.
Caused by: java.nio.file.FileSystemException: .: Operation not permitted at sun.nio.fs.UnixException.translateToIOException(UnixException.java:100) ~[?:?] at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[?:?] at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?] at sun.nio.fs.UnixPath.toRealPath(UnixPath.java:852) ~[?:?]
Ah, yes. It seems it's a general problem with paths then, that makes sense.
Is there some workaround available? Like using an older tag or something?
I'm not aware of any workaround. We reverted to a previous build, e.g. adoptopenjdk/openjdk8:jdk8u282-b08-alpine-slim
I'm not aware of any workaround. We reverted to a previous build, e.g. adoptopenjdk/openjdk8:jdk8u282-b08-alpine-slim
Reverting to adoptopenjdk/openjdk16-openj9:jdk-16_36_openj9-0.25.0-alpine-slim seems to work for me too but 'll just use debianslim for now.
Also because I didn't mention it before: My issue appears in Java 16 with OpenJ9 but I still think it's probably related to all alpine images. Sadly I cannot run the program on Java 8 to see if it acts in the same way because it requires at least Java 11 (which btw also brings up the same issue using the alpine-slim OpenJ9 image).
Strangely enough using adoptopenjdk/openjdk16:alpine-slim makes the application work again but using adoptopenjdk/openjdk11:alpine-slim doesn't. It looks to me like this is an issue with the JVM and Alpine 3.13 that was fixed in HotSpot after Java 11 but still exists in OpenJ9. Very strange.
Created eclipse-openj9/openj9#12993 to track for OpenJ9.
The latest adoptopenjdk/openjdk11:alpine-jre still have such issue (DIGEST:sha256:69c257f50bbc4b47a701c6cb0686f1c20bc437a127cb2315ceb671b86718cd15)
https://hub.docker.com/layers/adoptopenjdk/openjdk11/alpine-jre/images/sha256-69c257f50bbc4b47a701c6cb0686f1c20bc437a127cb2315ceb671b86718cd15?context=explore
The latest adoptopenjdk/openjdk11:alpine-jre still have such issue (DIGEST:sha256:a5f72791e32e1d3493f602bde395508147e35e42669bd4a014cc3b87a9f918a6)
https://hub.docker.com/layers/adoptopenjdk/openjdk11/alpine-jre/images/sha256-a5f72791e32e1d3493f602bde395508147e35e42669bd4a014cc3b87a9f918a6?context=explore
Checked by rebuilding the image with alpine 3.13 (or 3.14) with glibc 2.31 (or 2.32) CANNOT reproduce this issue. While using glibc 2.33 CAN reproduce this issue. So confirmed due to incompatibility with glibc 2.33.
Please consider to downgrade glibc back to 2.32 / 2.31.
The latest adoptopenjdk/openjdk11:alpine-jre still have such issue (DIGEST:sha256:53aaa21ec013e4eda23cf25cafcb0a994945cb5bf119332db70c8c9288fb43d0)
https://hub.docker.com/layers/adoptopenjdk/openjdk11/alpine-jre/images/sha256-53aaa21ec013e4eda23cf25cafcb0a994945cb5bf119332db70c8c9288fb43d0?context=explore
Use eclipse-temurin:11-jre-alpine works fine
(DIGEST:sha256:68a61bdf11c53dd0d2396bfe631877a300db41329847b487aa06ea5a4f51cecf)
https://hub.docker.com/layers/eclipse-temurin/library/eclipse-temurin/11-jre-alpine/images/sha256-68a61bdf11c53dd0d2396bfe631877a300db41329847b487aa06ea5a4f51cecf?context=explore
For newcomer, please use eclipse-temurin:11-jre-alpine and forget about adoptopenjdk/openjdk11:alpine-jre
eclipse-temurin:8-jre-focal works correctly